Vulnhub Walkthrough: PwnOS 2.0

Rav3nf0 -- Aadarsh T R
Aug 17, 2022

pWnOS v2.0 is a virtual machine image that hosts a server for practicing penetration testing. It tests our ability to exploit the server and contains multiple entry points. Our objective is to gain root access to the machine. It was designed to be used with VMWare Workstation 7.0, but can also be used with most other virtual machine software.

Initial Analysis:

Since the target machine is given a static IP address [10.10.10.100], I create a NAT network within the 10.10.10.0/24 range and configure the attacking machine to use this network.

The IP address can be set with the following commands.

Using a basic nmap scan, we check which ports are available.

With the help of dirb, a web content scanner, we find hidden web objects and directories.

From the dirb scan, it looks like there is a directory named blog. After moving into the directory, we check the page info and find that it runs on Simple PHP Blog 0.4.0.

Exploit:

After a quick Google search we find multiple exploits.

We could also use searchsploit to find suitable exploits.

After downloading and running the exploit, we set both the username and password to admin.

After logging in with the newly set credentials, we search for ways to upload a reverse shell.

After the credentials are submitted, the page redirects to a page with an image upload option.

We upload the ‘reversing.php’ file here after making the necessary changes to the IP address of the attacking machine and the port number.

After uploading the file, go to 10.10.10.100/blog/images and select the uploaded image to get the shell. Before running the reverse shell, make sure to have your netcat listener up.
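The upload step works because the blog's image upload accepts a PHP file and the server runs it from the images directory. As an added example from the defender's side (not part of the original walkthrough), the script below audits an image-only upload directory for files like this; the function names, the extension allowlist and the sample files are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Assumption: the upload directory should hold only these image types.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = b"<?php"  # short tags (<?, <?=) are not covered by this check


def audit_file(path):
    """Return the reasons a file does not belong in an image-only directory."""
    reasons = []
    data = Path(path).read_bytes()
    magics = IMAGE_MAGIC.get(Path(path).suffix.lower())
    if magics is None:
        reasons.append("extension not in image allowlist")
    elif not data.startswith(magics):
        reasons.append("content does not match extension")
    # A PHP tag can sit behind a valid image header, so always scan the body.
    if PHP_TAG in data.lower():
        reasons.append("contains PHP opening tag")
    return reasons


def audit_directory(root):
    """Map each suspicious file (path relative to root) to its findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        reasons = audit_file(path) if path.is_file() else []
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings


def demo():
    samples = {  # constructed contents, no working payloads
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "reversing.php": b"<?php /* placeholder */ ?>",
        "avatar.gif": b"GIF89a" + b"\x00" * 8 + b"<?php /* placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return audit_directory(root)
```

An audit like this only finds files that are already on disk. The stronger control is to validate uploads when they arrive and to disable script execution in the upload directory at the web-server level.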

Getting Root Access:

After the shell is obtained, looking a bit deeper, I find a file mysqli_connect.php under the var directory which contains a username and password.

With the newly found credentials, we try to SSH into the server.

Now we have become the root user.

Cheers!!
